Method for quantum generation of random numbers especially in lotteries and gaming and device for quantum generation of random numbers

ABSTRACT

The presented invention relates to a method and device for the quantum generation of random numbers. The invention can be implemented in generation of random numbers in lotteries and gaming. The device for a self-testing quantum number generator especially in lotteries and gaming comprising: interferometer, a control unit CU connected to the signal source S, the signal is with interference property, components A that modify the signal&#39;s properties, and detectors D for measuring the signal&#39;s intensity by electrical wires. Components A are controlled by the control unit CU via electrical wires with parameters x. Detectors D are configured to measure signal intensity and send the measurement results d, via electrical wires to the control unit CU. The control unit CU performs a self-test based on the measurement results d and returns its outcome Hmin. The control unit CU returns random numbers d, and the result of self-test Hmin.

The presented invention relates to a new method and device for the quantum generation of random numbers. The invention can be implemented in generation of random numbers in lotteries and gaming. The invention allows generation of binary or non-binary random number chains with high generation rates.

The existence of random processes, in addition to having philosophical consequences, has application in various disciplines of technology. Random numbers are essential in lottery and gaming industry as well as for scientific simulations. The standard measure of the quality of randomness generated is called min-entropy and is related to the probability of guessing a number of the sequence generated before it is announced. A good random number generator should be able to produce a bit string with a high entropy at a high rates.

In general, random number generators can be divided into two categories: pseudorandom number generators (PRNGS) and true random number generators (TRNGs). The PRNG are based on complex mathematical algorithms that simulate randomness generation what is disclosed in Gentle JE (2003), Random Number Generation and Monte Carlo Methods, Springer. In this case, the privacy or unpredictability of random numbers is not guaranteed and depends on additional considerations what is disclosed in CH Vincent, “The generation of truly random binary numbers,” J. Physics E, vol. 3) No. 6, pp. 594-598, 1970.

For example, if the seed of the algorithms is known to an adversary, the numbers generated will not be private—Barker E., Kelsey J., Recommendation for Random Number Generation Using Deterministic Random Bit Generators, NIST SP800-90A, January 2012. Other problems related to the implementation of the algorithm also can compromise privacy—L. Bello. “Openss1—predictable random number generator”. Debian Security Advisory, 1571-1, 2008, such as its periodicity or lack of uniformity.

On the other hand, TRNGs are based on one or more physical processes whose results are unpredictable. Some types of TRNGs are the LavaRnd (www.lavarnd.org), which digitizes a chaotic light source with a CCD chip, and the Araneus Alea II (www.araneus.fi/products/alea2/en/), which uses a reverse biased semiconductor junction to generate white Gaussian noise. Random numbers can also be generated by exploring random phenomena of nature, such as radioactive decay (www.fourmilab.ch/hotbits/), or atmospheric noise (www.random.org). Another option are quantum random number generators (QRGNs) based on the intrinsic uncertainty of the measurement processes of quantum systems what is disclosed e.g. in EP1821196.

In all these cases the private randomness or unpredictability of the numbers generated is based on theoretical models that guarantee the security of the generator, considering its operation free of anomalies, failures or malicious attacks. In practice, regularities in the numbers generated arise as a result of the inevitable use of non-ideal components in non-ideal conditions or periodic disturbances intrinsic to the system, such as: temperature fluctuations, human activity, component wear, among others. For this reason the sequence of random numbers generated must be certified in order to guarantee the operation of a generator that meets the desired quality. Statistical tests of randomness have been created (DieHarder, NIST STS 2.1.2), that look for different types of correlations between the numbers generated. Unfortunately, these tests cannot guarantee the unconditional security of a device what is disclosed in Darren Hurley-Smith and Julio Hernandez-Castro. “Quam Bene Non Quantum: Bias in a Family of Quantum Random Number Generators.” School of Computing, University of Kent, Canterbury CT2 7NF, Kent, UK.

However, there are setups where it is possible for a random number generator to self-certify, that is, to analyse itself continuously during its operation, in order to guarantee unconditional security. In this direction, different proposals have emerged for what is known today as “device-independent QRNGs” (DI-QRNGs)— e.g. Davide Rusca, Thomas van Himbeeck Anthony Martin, Jonatan Bohr Brask, Weixu Shi, Stefano Pironio, Nicolas Brunner, Hugo Zbinden. “Practical self-testing quantum random number generator based on an energy bound”. arXiv: 1904.04819, 2019. The DI-QRNGs proposed so far are not practical because they are based on complex protocols of quantum information, known as Bell tests, disclosed in Anatoly Kulikov, Markus Jerger, Anton Potoc̆nik, Andreas Wallraff, and Arkady Fedorov. “Realization of a Quantum Random Generator Certified with the Kochen-Specker Theorem.” Phys. Rev. Lett. 119, 240501, 2017, and require entangled particles. In these cases, the user can certify the generation of true random numbers. Specifically, the amount of min-entropy generated by the system can be estimated directly from the observed data. In this way, the generator self-certifies in real time the randomness or unpredictability of the numbers generated and, therefore, there is no need to perform statistical tests on the generated bit sequence. Unfortunately, in practice, DI-QRNGs require complex, bulky and very expensive hardware and even with it randomness generation has only been achieved at very low rates—Davide G. Marangon, Giuseppe Vallone, and Paolo Villoresi. “Source-Device-Independent Ultrafast Quantum Random Number Generation.” Phys. Rev. Lett. 118, 060503, 2017, severely limiting applications.

In EP 1447740 a microprocessor including a random number generator RNG that performs a self-test on reset and selectively enables/disables itself based on the self-test results is disclosed. The RNG includes a self-test unit that performs the self-test to determine whether the RNG is functioning properly in response to either a power-up or warm reset. If the self-test fails, the microprocessor disables the RNG. Disabling the RNG may include returning extended function information indicating the RNG is not present in response to execution of a CPUID instruction. Disabling the RNG may include generating a general protection fault in response to execution of a RDMSR or WRMSR instruction specifying an MSR associated with the RNG. Disabling the RNG may include generating an invalid opcode fault in response to execution of an instruction that attempts to obtain random numbers from the RNG. It is a device which self-tests itself at start-up. However, not entropy but some basic characteristics of the device are tested. Moreover it is not a device based on quantum mechanics but based on classical physics and therefore the self-test procedure is not very precise.

EP 3040853 describes a random number generator (1, 1000) that includes means to measure two continuous observables of an electromagnetic field prepared in a quantum state, and conversion means to obtain, by the measure of each observable, a first and a second sequence of bits. A processing unit calculates the conditional min-entropy of the random variable associated with the first sequence. A unit of post-processing extracts a third sequence of random bits whose length depends on the conditional min-entropy of the first sequence. The output of the post-processing unit is therefore a set of random bits that can be inserted in a data signal, such as a signal that carries a cryptographic key. The invention is also related to a method for generating random numbers. This device is a quantum one but does not perform self-testing. It estimates the entropy of its outcomes but it is only based on the probability distribution of the output but not the conditional probability of outputs and inputs.

In US 2015/227343 it is described a system and method for generating random numbers. The system may include a random number generator (RNG), such as a quantum random number generator (QRNG) configured to self-correct or adapt in order to substantially achieve randomness from the output of the RNG. By adapting, the RNG may generate a random number that may be considered random regardless of whether the random number itself is tested as such. As an example, the RNG may include components to monitor one or more characteristics of the RNG during operation, and may use the monitored characteristics as a basis for adapting, or self-correcting, to provide a random number according to one or more performance criteria. This device has input and output parameters but it does not use it to estimate entropy but the efficiency of its operation (according to unspecified criteria) and modifies its input to maximize it. Our device cannot choose its own inputs.

In WO 2018/065593 a device that performs self-certification of randomness is mentioned, but it has a source which needs to produce one of the two possible states with a well-defined overlap.

Accordingly, there is still need for a technological solution which allows to obtain random numbers with a self-testable unpredictability for the generated stream.

The goal of the invention was to provide the generator and methods that enable to generate unpredictable string of numbers at high rates, characterized by high entropy which can be self-tested in real time.

The invention is based on physical processes for the generation and detection of quantum states which final result is intrinsically random. Of particular importance is that the invention self-test itself, i.e.: allows the real-time certification of the randomness it generates. In this way the correct functioning of the equipment is always corroborated, and the security of the numbers generated is not conditioned on the implementation of subsequent statistical tests. The scheme is easy to implement, efficient in extracting the final sequence of random numbers, robust against imperfections of the device components, and allows the generation of binary or non-binary random number chains with high generation rates.

The invention—present method and technological device propose a fairly practical quantum true random number generator, which is self-certifiable in real time. The device's operation is based on the active manipulation of interferometers. This technology offers in particular ease of implementation, which only requires standard components, easily commercially available that can be integrated to build the device. In this way, a reduced integrated system of lower cost and less complex than the existing ones is proposed. The device offers high rates of randomness generation (of the order of Mbit/s). Another advantage is that the min-entropy of the random bits generated is calculated and monitored in real time, unlike in most existing solutions.

The essential difference of the invention in compared to state of the art is that it constantly monitors the entropy of the generated randomness with a method that does not require a characterized quantum state source nor measurements with characterized devices. This invention has a wide scope of applicability in lottery and gaming industry because it guarantees robustness against imperfections of all the components the random number generating device consists of. Any initial problem or tampering with its components will be detected at start-up and any malfunction or wear during device's operation. Accordingly if the results obtained will not be random numbers, the measured entropy will be 0 what will be detected by the invention.

The invention is described in details in examples and drawings:

FIG. 1 —a standard multipath interferometer;

FIG. 2 a — device based on an interferometer modified by the addition of extra signal modification components and detectors;

FIG. 2 b — device based on an interferometer modified by the addition of extra signal modification components;

FIG. 2 c — device based on an unmodified interferometer;

FIG. 3 —particular embodiment of the invention—application in lottery and gaming;

FIG. 4 —schematic of the control unit CU present in FIGS. 2 a, 2 b and 2 c.

GENERAL EXAMPLE

a) System—generator

INTRODUCTION

The device consists of two main parts: (a) interferometer; and (b) control unit CU. The interferometer is a well-known apparatus, which is described in the next paragraph. The interferometer constituting part of the device can be modified by placing additional components. The control unit governs the work of the interferometer and self-tests the quality of randomness produced by the interferometer. The self-test is performed by computing a lower bound on min-entropy of the output sting of numbers.

Interferometer

An interferometer is a device that is used to measure interference properties of waves in a form of signal. In FIG. 1 ), a schematic diagram of an interferometer is presented.

The interferometer has a signal that comes from a source (S) and consists of n paths. The signals can be modified according to the parameters(x₁, . . . , x_(n)) in the control components A₁, . . . , A_(n). The interference takes part in the interference region (I) and then the signals are measured at the detection stations (D₁, . . . , D_(m)). The number of detectors m usually is but does not have to be equal to the number of paths.

The initial signal in the form of a wave is emitted from a source S and travels along two or more paths. The signal can be anything with interference properties, e.g. particles, electric current, light or acoustic waves. In each path, the signals can be modified independently, to change its properties in the components denoted by A₁, . . . , A_(n), according to the configuration of their input parameters (x₁, . . . , x_(n)). Then the signals interfere in the interference region I-region indicated in FIG. 1 ). After leaving interference region I, the signals are measured at the stations denoted by (D₁, . . . , D_(m)), which represent the detectors. The number of stations m can but does not have to be equal to the number of paths n. The joint probability distribution of the measurement results at the detection stations p(D₁, . . . , D_(m)), is measured as a function of the input parameters (x₁, . . . , x_(n)), in order to establish the signal interference properties.

Underlying Idea

The described invention is based on the interferometer presented in the previous paragraph and control unit connected to it. The main idea of this invention is based on the fact that for some combination of input parameters (x₁, . . . , x_(n)) from a control unit CU, the outcomes of the detection stations should be deterministic and for other completely random, if the device works correctly. Checking for deviations and estimating their magnitude when we expect the determinism allows us to quantify the current quality of the device and randomness it produces. The outcomes of the device are random in a way which admits self-testing only if the behaviour of the device can be modelled by quantum theory (not any classical one).

Construction of the Device

The device comprises interferometer and control unit CU, which is presented in FIG. 2 a-2 c . The interferometer can be kept unchanged as in FIG. 1 ) or modified by addition of extra components on some or all of the paths. The additional components denoted by B₁, . . . , B_(k), get their own inputs (y₁, . . . , y_(k)) from a control unit CU as in FIG. 2 a ) or can involve additional detection stations (D′₁, . . . , D′_(k)) as in FIG. 2 b ). The control unit CU can take a form of an FPGA or ASIC microprocessor, with auxiliary known electronics if necessary.

The source of the signal, basic components of the interferometer (x₁, . . . , x_(n)), optional ones (y₁, . . . , y_(k)), the detectors (D₁, . . . , D_(m)) and, additional detection stations (D′₁, . . . , D′_(k)) if they exist, are controlled by a control unit CU. {right arrow over (d)} stands for the messages from the detectors (D₁, . . . , D_(m)) and, if they exist, (D′₁, . . . , D′_(k)) to CU and {right arrow over (x)} for all the inputs—parameters (x₁, . . . , x_(n)) and, if additional parameters if they exist, (y_(r), . . . , y_(k)). The control unit CU itself has four main components: timer T, hardware driver HD, memory M and computing processor CP, all communicating via electrical wires.

According to the FIG. 2 a —in the device a signal comes from a source (S) and travels along n paths. The signals is modified according to the parameters (x₁, . . . , x_(n)) in the control CU components A₁, . . . , A_(n). On some of the paths there are additional components B₁, . . . , B_(k), with their own parameters (y₁, y_(k)). Based on the value of y_(i) on i-th path the signal either continues on its path or is redirected to one of the additional detectors D′₁, . . . , D′_(k). The signals that stayed on their paths interfere in the interference region (I) and are later measured at the stations D₁, . . . , D_(m). A control unit CU in a form of FPGA or ASIC which controls the rest of the device has a timer which divides device's operation into steps. In each step CU causes the signal source (S) to send the signals, generates inputs (x₁, . . . , x_(n)) and (y_(r), . . . , y_(k)), which are communicated by electrical wires to components A₁, . . . , A_(n) and B₁, . . . , B_(k). In each step all the detectors D₁, . . . , D_(m) and D′₁, . . . , D′_(k) measure incoming signals and send via electrical wires the measurement results a to CU. In each step CU sends {right arrow over (d)} and min-entopy estimate H_(min) for that step to the user.

As is presented in the FIG. 2 b , in the device a signal comes from a source (S) and travels along n paths. The signals can be modified according to the parameters (x₁, . . . , x_(n)) in the control components A₁, . . . , A_(n). On some of the paths there are additional components B₁, . . . , B_(k), with their own parameters (y_(r), . . . , y_(k)). The signals pass through both sets of components. The interference takes part in the interference region and then the signals are measured at the detection stations D₁, . . . , D_(m). The control unit CU in a form of FPGA or ASIC which controls the rest of the device has a timer which divides device's operation into steps. In each step CU causes the signal source (S) to send the signals, generates inputs (x₁, . . . , x_(n)) and (y_(r), . . . , y_(k)), which are communicated by electrical wires to components A₁, . . . , A_(n) and B₁, . . . , B_(k). In each step all the detectors D₁, . . . , D_(m) measure incoming signals and send via electrical wires the measurement results a to CU. In each step CU sends a and min-entopy estimate H_(min) for that step to the user.

As is presented in the FIG. 2 c , in the device a signal comes from a source (S) and travels along n paths. The signals can be modified according to the parameters (x₁, x_(n)) in the control components A₁, . . . , A_(n). The interference takes part in the interference region and then the signals are measured at the detection stations D₁, . . . , D_(m). The control unit CU in a form of FPGA or ASIC which controls the rest of the device has a timer which divides device's operation into steps. In each step CU causes the signal source (S) to send the signals, generates inputs (x₁, . . . , x_(n)) which are communicated by electrical wires to components A₁, . . . , A_(n). In each step all the detectors D₁, . . . , D_(m) measure incoming signals and send via electrical wires the measurement results {right arrow over (d)} to CU. In each step CU sends {right arrow over (d)} and min-entopy estimate H_(min) for that step to the user.

Method Generation of Randomness

The control unit's CU internal structure is shown in FIG. 4 . CU works in steps. Each step begins by timer T sending a signal to the hardware driver HD notifying it that the new step has started. Then the hardware driver HD retrieves random variable x from memory M. Next the hardware driver HD transmits {right arrow over (x)} to components A₁, . . . , A_(n) and B₁, . . . , B_(k) and commands the source S to send the signal. After the signal has been measured by the detectors (D₁, . . . , D_(m)) and, if they exist, (D′₁, . . . , D′_(k)), they send a to the hardware driver HD, which passes it to memory M. Next the computing processor CP retrieves the set of {right arrow over (d)} and {right arrow over (x)} from memory M and from them the result of self-test, which is a lower bound on min-entropy H_(min)({right arrow over (d)}|{right arrow over (x)}) of {right arrow over (d)} is computed. It is a standard measure of randomness quality in information theory. The method used by CP to compute H_(min)({right arrow over (d)}|{right arrow over (x)}) is described in the next section. The step ends with CP transmitting {right arrow over (d)} and H_(min)({right arrow over (d)}|{right arrow over (x)}) to the user. {right arrow over (d)} is a random number generated in this step and H_(min)({right arrow over (d)}|{right arrow over (x)}) the result of self-test.

CP also uses randomness extractor (a well-known mathematical function) to obtain from {right arrow over (d)} the value of {right arrow over (x)} which is sent to memory M and will be used for the settings of components A₁, . . . , A_(n) and B₁, . . . , B_(k) in the next step.

Self-Testing. Part 1: Estimation of Probability Distribution p({right arrow over (d)}|{right arrow over (x)})

The method used to establish and update H_(min)({right arrow over (d)}|{right arrow over (x)}) based on {right arrow over (d)} and {right arrow over (x)} works in the following way:

The control unit CU stores in its memory M values of {right arrow over (d)} and {right arrow over (x)} for the last N₀ steps. N₀ is a free parameter chosen by the user. In each step next pair of {right arrow over (d)} and {right arrow over (x)} is added and the one which is in memory for longest removed. The current content of the memory is a list of pairs ({right arrow over (d)}_(i), {right arrow over (x)}_(i))i=1, . . . , N₀ and the value of {right arrow over (x)} for the next step. The value of H_(min)({right arrow over (d)}|{right arrow over (x)}) returned in any given step is then a lower bound on the average min-entropy of {right arrow over (d)} for the block of last N₀ steps.

First conditional probability distribution p({right arrow over (d)}|{right arrow over (x)}) of {right arrow over (d)} as a function of {right arrow over (x)} is estimated by the control unit CU. It is taken to be equal to the frequency of any given value of a for any particular {right arrow over (x)} in the block of the last N₀ steps and given by the formula:

${{p\left( \overset{\rightarrow}{d} \middle| \overset{\rightarrow}{x} \right)} = \frac{\sum_{i = 1}^{N_{0}}{{\delta\left( {\overset{\rightarrow}{d},{\overset{\rightarrow}{d}}_{i}} \right)}{\delta\left( {\overset{\rightarrow}{x},{\overset{\rightarrow}{x}}_{i}} \right)}}}{\sum_{i = 1}^{N_{0}}{\delta\left( {\overset{\rightarrow}{x},{\overset{\rightarrow}{x}}_{i}} \right)}}},$

where δ(a, b) is Kronecker's function equal to 1 if a=b and 0 otherwise. Self-Testing. Part 2: Estimation of Min-Entropy H_(min)({right arrow over (d)}|{right arrow over (x)})

It will call p({right arrow over (d)}|{right arrow over (x)}) an observed probability distribution and assume it to arise from underlying probabilities p_(γ)({right arrow over (d)}|{right arrow over (x)}, {right arrow over (λ)}). There are two kinds of parameters here to which we don't have a direct access:

-   -   γ denotes properties of the interferometric setup such as losses         in different paths or the characteristics of interference         region I. While they can evolve in time they do so slowly enough         for us to assume that γ is constant in the whole block of last         N₀ steps.     -   {right arrow over (λ)} on the other hand, represents parameters         that can change in every step of operation of the device. Such a         quick change of parameters can only appear in electronic         circuits controlling the behaviour of the signal source S and         detectors (D₁, . . . , D_(m)) and, if they exist, (D′₁, . . . ,         D′_(k)). Therefore, we use notation {right arrow over (λ)}=(λ₀,         λ₁, . . . , λ_(D)), where D is the total number of detectors         equal to m for the case in FIG. 2 a ) or m+k for the one in FIG.         (2 b). λ₀ is a parameter related to the signal source and λ_(i)         is related to detector D_(i).

The control unit CU stores in its memory a finite set of pairs p_(γ)({right arrow over (d)}|{right arrow over (x)}, {right arrow over (λ)}) and H_(γ)({right arrow over (d)}|{right arrow over (x)}, {right arrow over (λ)}), which were calculated previously by modelling the behaviour of the device as a function of γ and {right arrow over (λ)}. The exact parametrization of the device by γ and A and their ranges depend on the choice of the security paradigm. For example in order to model the device we may assume that there are no rapid changes in the parameters of the device and A is constant, or that signal source produces always single photons. The device can store more than one set and the user can switch between different paradigms trading level of security for higher randomness generation rates. To make the set of pairs p_(γ)({right arrow over (d)}|{right arrow over (x)}, {right arrow over (λ)}) and H_(γ)({right arrow over (d)}|{right arrow over (x)}, {right arrow over (λ)}) finite the parameters γ and {right arrow over (λ)} may need to be coarse-grained. Then for every value of γ and {right arrow over (λ)} p_(γ)({right arrow over (d)}|{right arrow over (x)}, {right arrow over (λ)}) is calculated. Then H_(γ) ({right arrow over (d)}|{right arrow over (x)}, {right arrow over (λ)}) is taken to be the minimal min-entropy of probabilities p_(Γ)({right arrow over (d)}|{right arrow over (x)}, {right arrow over (Λ)}), where Γ and Λ denote sets of values which, when coarse-grained, yield γ and {right arrow over (λ)} respectively, i.e.:

${H_{\gamma}\left( {\left. \overset{\rightarrow}{d} \middle| \overset{\rightarrow}{x} \right.,\overset{\rightarrow}{\lambda}} \right)} = {{\min\limits_{\Gamma,\Lambda}\left( {{- \log}\max{p_{\Gamma}\left( {{\overset{\rightarrow}{d} = \left. \overset{\rightarrow}{k} \middle| \overset{\rightarrow}{x} \right.},\overset{\rightarrow}{\Lambda}} \right)}} \right)}.}$

Let us denote the probability distribution of {right arrow over (λ)} as p({right arrow over (λ)}) Then the min-entropy of potential adversary for a particular value of γ is lower bounded by

H _(γ)({right arrow over (d)}|{right arrow over (x)})=Σ_({right arrow over (λ)}) p({right arrow over (λ)})H _(γ)({right arrow over (d)}|{right arrow over (x)},{right arrow over (λ)})(*).

The observed probability distribution for a particular value of γ is then

p _(γ)({right arrow over (d)}|{right arrow over (x)})=Σ_({right arrow over (λ)}) p({right arrow over (λ)})p _(γ)({right arrow over (d)}|{right arrow over (x)},{right arrow over (λ)}).

Now the control unit CU can perform linear programming to find minimum of (*) under the constraint that |p_(γ)({right arrow over (d)}|{right arrow over (x)})−p({right arrow over (d)}|{right arrow over (x)})|<ϵ, where ϵ is a constant implied by coarse-graining chosen. The meaning of this constraint is that the linear program is trying to find lowest min-entropy H_(γ)({right arrow over (d)}|{right arrow over (x)}) compatible with the observed probability distribution. After solving the linear program for all values of γ the lower bound on H_(min)({right arrow over (d)}|{right arrow over (x)}) is taken to be minimum over all values of γ, i.e.

${H_{\min}\left( \overset{\rightarrow}{d} \middle| \overset{\rightarrow}{x} \right)} = {\min\limits_{\gamma}{{H_{\gamma}\left( \overset{\rightarrow}{d} \middle| \overset{\rightarrow}{x} \right)}.}}$

EXAMPLE 2 Description of the Preferred Embodiment of the Invention

The preferred embodiment of the invention (shown in FIG. 3 )), is based on a four-arm Mach-Zehnder interferometer built with modern fiber optic technology.

The user of the device is a lottery, which needs random numbers of the results of a draw. It starts the procedure of obtaining them by giving a signal to the control unit CU of the device to produce the numbers.

The role of the control unit CU is played by a field-programmable gate array (FPGA) electronic unit. It contains all the necessary elements of the control unit CU: Memory M, Timer T, Hardware Driver HD and Computing Processor CP. The FPGA unit controls and synchronises the signal source S, signal modifying components A and B and detectors D.

After the light is emitted from the laser optical attenuators are then used to reduce initial signal intensity. The attenuators set the average number of photons per pulse to μ=0.2. In this case, the source can be seen as a good approximation of a nondeterministic source of single photons. We use standard ket notation of quantum information and describe the state of light after a single photon is generated by|x₀

=|0

.

After the attenuators, the signal is split into four paths using 4×4 multi-port beam splitter unit (MBS₀). This unit consists of a commercial demultiplexer (DEMUX) device, with 1 fiber as an input and 4 independent fibres as an output. It implements a 4-dimensional Hadamard gate operation:

$U_{H} = {{\frac{1}{2}\begin{bmatrix} 1 & 1 & 1 & 1 \\ 1 & 1 & {- 1} & {- 1} \\ 1 & {- 1} & 1 & {- 1} \\ 1 & {- 1} & {- 1} & 1 \end{bmatrix}}.}$

The quantum state of light after it leaves the source is

$\left. \left. {\left. {\left. {\left. {\left. {❘\chi_{1}} \right\rangle = {\frac{1}{2}\left( {❘0} \right.}} \right\rangle + {❘1}} \right\rangle + {❘2}} \right\rangle + {❘3}} \right\rangle \right),$

where |k> is the mode representing the photon in the k-th path.

The device follows the schematics from FIG. 2 b . The role of components A₁, . . . , A₄ is played by phase modulators (PM) connected to each of—fibers—leaving MBS₀. The role of parameters (x₁, . . . , x₄), is played by phases ϕ₀ ^(A), ϕ₁ ^(A), ϕ₂ ^(A), ϕ₃ ^(A). The FPGA controls ϕ₀ ^(A), ϕ₁ ^(A), ϕ₂ ^(A), ϕ₃ ^(A) by applying different voltages to the drivers of PMs. After passing through components A₁, . . . , A₄ the state of light becomes

$\left. \left. {\left. {\left. {\left. {\left. {❘\chi_{2}} \right\rangle = {\frac{1}{2}\left( {e^{i\phi_{0}^{A}}{❘0}} \right.}} \right\rangle + {e^{i\phi_{1}^{A}}{❘1}}} \right\rangle + {e^{i\phi_{2}^{A}}{❘2}}} \right\rangle + {e^{i\phi_{3}^{A}}{❘3}}} \right\rangle \right),$

The role of components B₁, . . . , B₄ is played by another set of—phase modulators (PM) connected to each of—fibers. The role of parameters (y₁, . . . , y₄), is played by phases ϕ₀ ^(A), ϕ₁ ^(A), ϕ₂ ^(A), ϕ₃ ^(A). The FPGA controls ϕ₀ ^(A), ϕ₁ ^(A), ϕ₂ ^(A), ϕ₃ ^(A) by applying different voltages to the drivers of PMs. After passing through components B₁, . . . , B₄ the state of light becomes

$\left. \left. {\left. {\left. {\left. {\left. {❘\chi_{3}} \right\rangle = {\frac{1}{2}\left( {e^{i{({\phi_{0}^{A} + \phi_{0}^{B}})}}{❘0}} \right.}} \right\rangle + {e^{i{({\phi_{1}^{A} + \phi_{1}^{B}})}}{❘1}}} \right\rangle + {e^{i{({\phi_{2}^{A} + \phi_{2}^{B}})}}{❘2}}} \right\rangle + {e^{i{({\phi_{3}^{A} + \phi_{3}^{B}})}}{❘3}}} \right\rangle \right),$

The role of the interference region I is played by another 4×4 multi-port beam splitter unit (MBS₁) build in the same way as (MBS₀) and performing the same transformation. After that, the state of light becomes

$\left. \left. {\left. {\left. {\left. {\left. {❘\chi_{4}} \right\rangle = {\frac{1}{2}\left( {\left\lbrack {e^{i{({\phi_{0}^{A} + \phi_{0}^{B}})}} + e^{i{({\phi_{1}^{A} + \phi_{1}^{B}})}} + e^{i{({\phi_{2}^{A} + \phi_{2}^{B}})}} + e^{i{({\phi_{3}^{A} + \phi_{3}^{B}})}}} \right\rbrack{❘0}} \right.}} \right\rangle + {\left\lbrack {e^{i{({\phi_{0}^{A} + \phi_{0}^{B}})}} + e^{i{({\phi_{1}^{A} + \phi_{1}^{B}})}} - e^{i{({\phi_{2}^{A} + \phi_{2}^{B}})}} - e^{i{({\phi_{3}^{A} + \phi_{3}^{B}})}}} \right\rbrack{❘1}}} \right\rangle + {\left\lbrack {e^{i{({\phi_{0}^{A} + \phi_{0}^{B}})}} - e^{i{({\phi_{1}^{A} + \phi_{1}^{B}})}} + e^{i{({\phi_{2}^{A} + \phi_{2}^{B}})}} - e^{i{({\phi_{3}^{A} + \phi_{3}^{B}})}}} \right\rbrack{❘2}}} \right\rangle + {\left\lbrack {e^{i{({\phi_{0}^{A} + \phi_{0}^{B}})}} - e^{i{({\phi_{1}^{A} + \phi_{1}^{B}})}} - e^{i{({\phi_{2}^{A} + \phi_{2}^{B}})}} + e^{i{({\phi_{3}^{A} + \phi_{3}^{B}})}}} \right\rbrack{❘3}}} \right\rangle \right).$

Then the light is measured by the detectors. Photons in mode|0

are measured by the detector D₁, those in |1

are measured by the detector D₂, those in |2

are measured by the detector D₃, and those in |3

are measured by the detector D₄. The detectors are triggered commercial InGaAs single-photon avalanche detectors.

The detectors send the measurement outcomes to FPGA which estimates min-entropy H_(min)({right arrow over (d)}|{right arrow over (x)}). The FPGA pots-process a with well-known method of randomness extraction, which takes as an input {right arrow over (d)} and H_(min)({right arrow over (d)}|{right arrow over (x)}), and produces a sting of random numbers with arbitrary quality {right arrow over (r)}. Next FPGA returns {right arrow over (r)} to the user which can use the numbers in {right arrow over (r)} for the results of the lottery draw.

ACKNOWLEDGEMENTS

The inventors acknowledge the support of Foundation for Polish Science through grant First TEAM/2016-1/5. 

1. Device for a self-testing quantum number generator especially in lotteries and gaming comprising: interferometer, comprising: signal source S, at least two paths through which the signal travels, components that can modify the signal's properties A, interference region I, detectors D, characterized that the device comprises a control unit CU, while the control unit CU is connected to the signal source S, the signal is with interference property, components A that modify the signal's properties, and detectors D for measuring the signal's intensity by electrical wires, detectors D are configured to measure signal intensity and send the measurement results {right arrow over (d)}, via electrical wires to the control unit CU, components A are controlled by the control unit CU via electrical wires with parameters {right arrow over (x)}, the source S is configured to produce a signal when requested by the control unit CU via electrical wires, the control unit CU performs a self-test based on the measurement results a and returns its outcome H_(min)({right arrow over (d)}|{right arrow over (x)}) the control unit CU returns random numbers a, and the result of self-test H_(min) {right arrow over (r)}, where: {right arrow over (x)} is a vector representing the parameters for all components A, {right arrow over (d)} is a vector representing the measurement results of the detectors D, H_(min)({right arrow over (d)}|{right arrow over (x)}) is a lower bound on average min-entropy of the string of N₀ values of d, given by formula ${{H_{\min}\left( \overset{\rightarrow}{d} \middle| \overset{\rightarrow}{x} \right)} = {\log_{2}\max\limits_{\overset{\rightarrow}{k}}{p\left( {\overset{\rightarrow}{d} = \left. \overset{\rightarrow}{k} \middle| \overset{\rightarrow}{x} \right.} \right)}}},$ N₀ is a free parameter.
 2. The generator according to claim 1, comprises an interferometer of any design modified by addition of additional components B
 3. The generator according to claim 1, comprises an interferometer of any design modified by addition of additional components B and additional detectors D′
 4. The generator, according to claim 1, comprises a Mach-Zehnder interferometer, modified by addition of additional components B.
 5. The generator, according to claim 1, comprises a Mach-Zehnder interferometer, modified by addition of additional components B and detectors D′.
 6. The generator, according to claim 1, wherein the inputs {right arrow over (x)} are generated by the control unit CU from the randomness generated previously or the control unit CU receives it as an input from external source.
 7. A method for generating a string of random numbers especially in lotteries and gaming, comprising steps of: a) requesting from signal source S by control unit CU signal with interference property to be produced, b) sending parameters {right arrow over (x)} to components A by control unit CU c) transferring the signal from the source S, via component A, to interference region I and detector D, d) measuring the signal intensities by the detector D and sending the results of the measurement {right arrow over (d)} to the control unit CU, e) returning the measurement results {right arrow over (d)} as the output randomness, f) returning the min-entropy H_(min)({right arrow over (d)}|{right arrow over (x)}) as the outcome of self-test, g) repeating the step a-f.
 8. The method according to claim 7, wherein the method for self-testing comprises steps of: the control unit CU records the values of {right arrow over (d)} and {right arrow over (x)} from N₀ steps, where N₀ is a free parameter, the control unit CU estimates observed probability distribution using formula: ${{p\left( \overset{\rightarrow}{d} \middle| \overset{\rightarrow}{x} \right)} = \frac{\sum_{i = 1}^{N_{0}}{{\delta\left( {\overset{\rightarrow}{d},{\overset{\rightarrow}{d}}_{i}} \right)}{\delta\left( {\overset{\rightarrow}{x},{\overset{\rightarrow}{x}}_{i}} \right)}}}{\sum_{i = 1}^{N_{0}}{\delta\left( {\overset{\rightarrow}{x},{\overset{\rightarrow}{x}}_{i}} \right)}}},$ the control unit CU uses well-known linear or semi-definite programming, algorithms is used to find the minimum value of min-entropy H_(min)({right arrow over (d)}|{right arrow over (x)}), which is compatible with the observed value of p({right arrow over (d)}|{right arrow over (x)}), the control unit CU returns the value of H_(min)({right arrow over (d)}|{right arrow over (x)}), where δ(a, b) is Kronecker's function equal to 1 if a=b and 0 otherwise.
 9. The method according to claim 7, wherein the control unit CU using method for generating a string of random numbers while post-process it with well-known method of randomness extraction, which takes as an input {right arrow over (d)} and H_(min)({right arrow over (d)}|{right arrow over (x)}), and produces a sting of random numbers with arbitrary quality {right arrow over (r)}, then it returns {right arrow over (r)} instead of {right arrow over (d)} as randomness. 